MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
SHA3-384 hash: 0edb192e88bad3eb9f55af2b9be508b2586633ffb3e614c79d80c05946f170dd7fbe8384c5b022fc177ad91317b78b55
SHA1 hash: c4b0c3e114a9d31d7957f873ee0a87731fd16148
MD5 hash: d895b9c76dd01f74ed7ac569214bd908
humanhash: six-vegan-cold-shade
File name:SecuriteInfo.com.Win32.PWSX-gen.8337.19865
Download: download sample
Signature Formbook
Create hunting rule
File size:1'055'232 bytes
First seen:2022-12-09 05:27:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:FSfCp6q+gk0huWQks+28p9NpH6tvqrTlzqepF:FjJc9dks+2O9eVqV
TLSH T175257CD5ABF2A026F88B33612419369DDC36BD433756E15A27763B1082F18FFB698443
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 6b4b346153455121 (9 x Formbook)
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344584/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8337.19865.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6392c764f6e448d42df7c152/reports/11a12603-5d2e-466a-a23a-c73a16dd0ff0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c01afe71-0822-4d50-9520-23fd2c22e4bb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131219
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 763943 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 6 other signatures 2->64 10 IgppHjCOS.exe 5 2->10         started        13 SecuriteInfo.com.Win32.PWSX-gen.8337.19865.exe 7 2->13         started        process3 file4 72 Machine Learning detection for dropped file 10->72 74 Tries to detect virtualization through RDTSC time measurements 10->74 76 Injects a PE file into a foreign processes 10->76 16 IgppHjCOS.exe 10->16         started        19 schtasks.exe 1 10->19         started        42 C:\Users\user\AppData\Roaming\IgppHjCOS.exe, PE32 13->42 dropped 44 C:\Users\...\IgppHjCOS.exe:Zone.Identifier, ASCII 13->44 dropped 46 C:\Users\user\AppData\Local\...\tmpA7C0.tmp, XML 13->46 dropped 48 SecuriteInfo.com.W....8337.19865.exe.log, ASCII 13->48 dropped 78 Uses schtasks.exe or at.exe to add and modify task schedules 13->78 80 Adds a directory exclusion to Windows Defender 13->80 21 powershell.exe 20 13->21         started        23 schtasks.exe 1 13->23         started        25 SecuriteInfo.com.Win32.PWSX-gen.8337.19865.exe 13->25         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 16->50 52 Maps a DLL or memory area into another process 16->52 54 Sample uses process hollowing technique 16->54 56 Queues an APC in another process (thread injection) 16->56 27 explorer.exe 16->27 injected 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        process8 process9 35 explorer.exe 27->35         started        signatures10 66 Modifies the context of a thread in another process (thread injection) 35->66 68 Maps a DLL or memory area into another process 35->68 70 Tries to detect virtualization through RDTSC time measurements 35->70 38 cmd.exe 1 35->38         started        process11 process12 40 conhost.exe 38->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2/
Threat name:
Win32.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 05:28:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
21 of 26 (80.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cuwv54m736v3jaurrvirjcaexvjcpzcoh22qa7omynd3b3ufqxja._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ci07 rat spyware stealer trojan
Link:
https://tria.ge/reports/221209-f51nlscd83/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6804b89c-6e1a-492f-a532-ef49fcd7f3f1
Unpacked files
SH256 hash:
df140d439eac7c6b3d92b93f099289a3c5aab8bb2700f76e96fe3cf1a5896c56
MD5 hash:
344610dcf21c8e20223b966898b761fe
SHA1 hash:
d4f36442fd63c9dbb8d70b6bf3f6dc06d2f6dfd5
Detections:
FormBook
Create hunting rule
win_formbook_auto
Create hunting rule
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/e3e08288-8884-4a95-a8c5-fd65b19768b4/
Parent samples :
901e0cc15f4525b844025cc57959ee5dc434844ba318e9f1349589ba965c1f53
794ff32dcb5a26819bea2fa85f82ee36dae53a5d6a6d2e42790801bfb018cda7
8cde8e6a8021c1d4d221179126d6fdd2a2a20a2b24f57fc20202f86640350f96
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
9405e5517f3a40a2dafc9e86359aa53e211af30c4fe1a7f77b24bd42ccc36354
9d6d28627c34f8d225dde0a78d27418d461ea3a35e6bc4afa0f50e9cb8bc1b21
94950eecd04b39b6b5e9e79f403ff8d5413ffd9d8176d8af0dc059862b720cf1
8ac5dceeed786e06a01cec7ce9d550a0f48c50511ad81db887c69fd5d720ff3e
a78e65c599449ae8f781711a5b432c95fd1c7ebbb4bb1c9353087e79b62f6489
59fe1ecfcc9a304108971209bdd1656f033bf0ef51744babf253394d58b10bbc
f2a813ed5d99e263f28a0b9224ae1d4f484b606cab37305b56c75a70cff31518
SH256 hash:
dc6e73dd76ccd2f0f82ebdcfc3b091af768500a8dfe88acfc3e2a6a44b4ddf0d
MD5 hash:
1eaa5403b73cebc76995f3e53f4a7964
SHA1 hash:
688bbccd5276ee322eda170524b358cbc13f0858
Link:
https://www.unpac.me/results/e3e08288-8884-4a95-a8c5-fd65b19768b4/
SH256 hash:
922915132a628d0050bf03a473370544dde3323627fb4adcba3f1ba869537e50
MD5 hash:
1ecb63625d636b0b8f8ebdece9fa80c3
SHA1 hash:
5623d5ad21fc63893011bae7e4709c51219fcc1c
Link:
https://www.unpac.me/results/e3e08288-8884-4a95-a8c5-fd65b19768b4/
SH256 hash:
a000e28f51f40830d58c277f38b69a9621cd261df82876289ea6e3080ff76928
MD5 hash:
9dbcdd52743d0ccf5ac7223d758a3fc7
SHA1 hash:
01ab24d6591d5d866d179951c39be031ed951508
Link:
https://www.unpac.me/results/e3e08288-8884-4a95-a8c5-fd65b19768b4/
SH256 hash:
96d8fa4ed9afb1473b980e585920a6667fcedd7889928bc766cfb0bcd15f2c10
MD5 hash:
6f6782b162425b563ed3bae1da5bc809
SHA1 hash:
0154f0d0ac5680f7ecc3dc4cc01ad6c17a9f3c5f
Link:
https://www.unpac.me/results/e3e08288-8884-4a95-a8c5-fd65b19768b4/
SH256 hash:
152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2
MD5 hash:
d895b9c76dd01f74ed7ac569214bd908
SHA1 hash:
c4b0c3e114a9d31d7957f873ee0a87731fd16148
Link:
https://www.unpac.me/results/e3e08288-8884-4a95-a8c5-fd65b19768b4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/152d5ef19fdf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/152d5ef19fdfabb482918d51148804bd5227e44e3eb5007dccc347b0ee8585d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344584/

Comments